Learning objectives
What is WorkloadEntry
WorkloadEntry enables operators to describe the properties of a single non-Kubernetes workload such as a VM or a bare metal server as it is onboarded into the mesh. A WorkloadEntry must be accompanied by an Istio ServiceEntry that selects the workload through the appropriate labels and provides the service definition for a MESH_INTERNAL service (hostnames, port properties, etc.). A ServiceEntry object can select multiple workload entries as well as Kubernetes pods based on the label selector specified in the service entry.
Resource details
| Field | Type | Description | Required |
| address | | Address associated with the network endpoint without the port. Domain names can be used if and only if the resolution is set to DNS, and must be fully-qualified without wildcards. Use the form unix:///absolute/path/to/socket for Unix domain socket endpoints. | Yes |
| ports | | Set of ports associated with the endpoint. If the port map is specified, it must be a map of servicePortName to this endpoint’s port, such that traffic to the service port will be forwarded to the endpoint port that maps to the service’s portName. If omitted, and the targetPort is specified as part of the service’s port specification, traffic to the service port will be forwarded to one of the endpoints on the specified | No |
| labels | | One or more labels associated with the endpoint. | No |
| network | | Network enables Istio to group endpoints resident in the same L3 domain/network. All endpoints in the same network are assumed to be directly reachable from one another. When endpoints in different networks cannot reach each other directly, an Istio Gateway can be used to establish connectivity (usually using the | No |
| locality | | The locality associated with the endpoint. A locality corresponds to a failure domain (e.g., country/region/zone). Arbitrary failure domain hierarchies can be represented by separating each encapsulating failure domain by /. For example, the locality of an endpoint in US, in US-East-1 region, within availability zone az-1, in data center rack r11 can be represented as us/us-east-1/az-1/r11. Istio will configure the sidecar to route to endpoints within the same locality as the sidecar. If none of the endpoints in the locality are available, endpoints parent locality (but within the same network ID) will be chosen. For example, if there are two endpoints in same network (networkID “n1”), say e1 with locality us/us-east-1/az-1/r11 and e2 with locality us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality will prefer e1 from the same locality over e2 from a different locality. Endpoint e2 could be the IP associated with a gateway (that bridges networks n1 and n2), or the IP associated with a standard service endpoint. | No |
| weight | | The load balancing weight associated with the endpoint. Endpoints with higher weights will receive proportionally higher traffic. | No |
| serviceAccount | | The service account associated with the workload if a sidecar is present in the workload. The service account must be present in the same namespace as the configuration (WorkloadEntry or a ServiceEntry) | |
address
wle-mongodb-address.yaml
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: mongo-wle
spec:
  address: 192.168.198.154
  labels:
    app: mongodb
    instance-id: vm1
se-mongodb.yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: mongodb-se
spec:
  hosts:
  - mongodb.vm.demo
  # virtual IP associated with the service
  addresses:
  - 192.168.198.177
  location: MESH_INTERNAL
  ports:
  - number: 27017
    name: tcp
    protocol: TCP
    targetPort: 27017
  resolution: STATIC
  # selects WorkloadEntries that carry both labels
  workloadSelector:
    labels:
      app: mongodb
      instance-id: vm1
labels
wle-mongodb-labels.yaml
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: mongo-wle
spec:
  address: 192.168.198.154
  labels:
    app: mongodb
    instance-id: vm1
locality
wle-mongodb-locality-01.yaml
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: mongo-wle-01
spec:
  address: 192.168.198.154
  labels:
    app: mongodb
    instance-id: vm1
    type: vm
  locality: "us-central1/z1/sz01"
wle-mongodb-locality-02.yaml
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: mongo-wle-02
spec:
  address: 192.168.198.155
  labels:
    app: mongodb
    instance-id: vm1
    type: vm
  locality: "us-central2/z2/sz02"
se-mongodb-locality.yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: mongodb-se
spec:
  hosts:
  - mongodb.vm.demo
  addresses:
  - 192.168.198.177
  location: MESH_INTERNAL
  ports:
  - number: 27017
    name: tcp
    protocol: TCP
    targetPort: 27017
  resolution: STATIC
  workloadSelector:
    labels:
      app: mongodb
      type: vm
dr-mongodb-locality-failover.yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-mongodb
spec:
  host: mongodb.vm.demo
  trafficPolicy:
    loadBalancer:
      consistentHash:
        useSourceIp: true
      localityLbSetting:
        enabled: true
        # each locality fails over to the other one
        failover:
        - from: us-central1/z1/sz01
          to: us-central2/z2/sz02
        - from: us-central2/z2/sz02
          to: us-central1/z1/sz01
    # ejects an endpoint for 1m after a single 5xx error
    outlierDetection:
      consecutive5xxErrors: 1
      interval: 1s
      baseEjectionTime: 1m
network
The network field relates to multi-cluster setups.
wle-mongodb-network.yaml
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: mongo-wle
spec:
  address: 192.168.198.154
  labels:
    app: mongodb
    instance-id: vm1
    type: vm
  network: n1
ports
wle-mongodb-ports.yaml
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: mongo-wle
spec:
  address: 192.168.198.154
  ports:
    mongodb: 27017
  labels:
    app: mongodb
    instance-id: vm1
    type: vm
serviceAccount
wle-mongodb-serviceAccount.yaml
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: mongo-wle
spec:
  serviceAccount: mongodb-vm
  address: 192.168.198.154
  ports:
    mongodb: 27017
  labels:
    app: mongodb
    instance-id: vm1
    type: vm
With serviceAccount added, the service can no longer be reached.
A sidecar must be installed on the VM.
This will be covered in the WorkloadGroup article.
weight
wle-mongodb-weight-01.yaml
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: mongo-wle-01
spec:
  weight: 20
  address: 192.168.198.154
  ports:
    mongodb: 27017
  labels:
    app: mongodb
    instance-id: vm1
    type: vm
wle-mongodb-weight-02.yaml
apiVersion: networking.istio.io/v1beta1
kind: WorkloadEntry
metadata:
  name: mongo-wle-02
spec:
  weight: 80
  address: 192.168.198.155
  ports:
    mongodb: 27017
  labels:
    app: mongodb
    instance-id: vm2
    type: vm
se-mongodb.yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: mongodb-se
spec:
  hosts:
  - mongodb.vm.demo
  addresses:
  - 192.168.198.177
  location: MESH_INTERNAL
  ports:
  - number: 27017
    name: tcp
    protocol: TCP
    targetPort: 27017
  resolution: STATIC
  workloadSelector:
    labels:
      app: mongodb
      type: vm
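The selector and port rules from the table, applied to the weight manifests above (an added example, not code from the original post): it shows which WorkloadEntries mongodb-se selects, which endpoint port each gets, and the traffic share implied by the weights. The dicts are constructed from this page's YAML; the helper names are hypothetical, the default weight of 1 and the fall-through for a port map that lacks the service port name are assumptions, and the final fallback to the service port number comes from the Istio API reference rather than the truncated table row.

```python
# Added example (not from the original post): resolves a ServiceEntry's
# workloadSelector and ports against WorkloadEntries built from this page.

def selects(se, wle):
    """True when every workloadSelector label is present on the WorkloadEntry."""
    want = se["spec"].get("workloadSelector", {}).get("labels", {})
    have = wle["spec"].get("labels", {})
    return bool(want) and all(have.get(k) == v for k, v in want.items())

def resolve(se, wles):
    """Return (endpoints, findings); endpoints are (address, port, percent)."""
    svc_ports = se["spec"]["ports"]
    names = {p["name"] for p in svc_ports}
    chosen = [w for w in wles if selects(se, w)]
    # Assumption: an omitted weight counts as 1 when computing shares.
    total = sum(w["spec"].get("weight", 1) for w in chosen)
    endpoints, findings = [], []
    for w in chosen:
        spec, port_map = w["spec"], w["spec"].get("ports", {})
        for key in sorted(set(port_map) - names):
            findings.append(f"{w['metadata']['name']}: ports key '{key}' "
                            "is not a service port name")
        for p in svc_ports:
            # Endpoint port map first, then targetPort, then the service port.
            # Assumption: a map without the port name falls through as well.
            port = port_map.get(p["name"]) or p.get("targetPort") or p["number"]
            share = round(100 * spec.get("weight", 1) / total)
            endpoints.append((spec["address"], port, share))
    if not chosen:
        findings.append(f"{se['metadata']['name']}: selector matches no WorkloadEntry")
    return endpoints, findings

def wle(name, address, labels, **extra):
    return {"metadata": {"name": name}, "spec": {"address": address, "labels": labels, **extra}}

SE = {"metadata": {"name": "mongodb-se"}, "spec": {
    "hosts": ["mongodb.vm.demo"], "resolution": "STATIC",
    "ports": [{"number": 27017, "name": "tcp", "protocol": "TCP", "targetPort": 27017}],
    "workloadSelector": {"labels": {"app": "mongodb", "type": "vm"}}}}
VM = {"app": "mongodb", "type": "vm"}
WLES = [
    wle("mongo-wle-01", "192.168.198.154", {**VM, "instance-id": "vm1"}, weight=20, ports={"mongodb": 27017}),
    wle("mongo-wle-02", "192.168.198.155", {**VM, "instance-id": "vm2"}, weight=80, ports={"mongodb": 27017}),
    # Labels from wle-mongodb-address.yaml: no "type: vm", so not selected.
    wle("mongo-wle", "192.168.198.154", {"app": "mongodb", "instance-id": "vm1"}),
]

if __name__ == "__main__":
    print(resolve(SE, WLES))
```

The findings list reports that the ports key mongodb does not match the ServiceEntry port name tcp, so the endpoint port is taken from targetPort instead of the map.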
dr-mongodb.yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-mongodb
spec:
  host: mongodb.vm.demo
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
From: https://blog.51cto.com/u_11979904/5948170